Analysis
- max time kernel: 700s
- max time network: 702s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-02-2023 19:51
Static task: static1

Behavioral task: behavioral1
- Sample: pdn.html
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: pdn.html
- Resource: win10v2004-20230220-en
General
- Target: pdn.html
- Size: 5KB
- MD5: 23b31833a31dcb7a9409b68f3c36b6d4
- SHA1: 70bb69f180320dda3e79a5d2626a1b22b0d22009
- SHA256: 4f2008007e37a831c0198f631a90d1bd654054aab269aefc4fe9b1600bdc6a8b
- SHA512: c85c8fe434a514d06a0c554721874e1f1b189a4a390669f0c254ac7f65b5e313bb4e40d179ea52e5bcdcedc0e57c85470968770f19cab72ff7eea305f999cdb8
- SSDEEP: 96:DBRUO0qOEZp+jAZbzbnR8hQMwMZAYcIVVCJmqeSLSTfS/STQwBdSTCPC2yyk/lkq:Xd46TnShQMwMRkmqb2eKJqmPC2KXqTCR
Signatures
CoreEntity .NET Packer (3 IoCs)
A .NET packer called CoreEntity, which embeds the payload as a Bitmap object that is later decrypted.
Processes:
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\paintdotnet.dll | coreentity
- C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\paintdotnet.dll | coreentity
- C:\Windows\Installer\e5a7f05.msi | coreentity
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | paint.net.5.0.2.install.anycpu.web.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | paint.net.5.0.2.install.x64.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | SetupFrontEnd.exe
Executes dropped EXE (8 IoCs)
Processes:
pid | process
- 3172 | paint.net.5.0.2.install.anycpu.web.exe
- 2156 | SetupShim.exe
- 436 | SetupDownloader.exe
- 5092 | paint.net.5.0.2.install.x64.exe
- 1124 | SetupShim.exe
- 2564 | SetupFrontEnd.exe
- 4604 | paintdotnet.exe
- 3812 | PaintDotNet.exe
Loads dropped DLL (64 IoCs)
Processes:
pid | process
- 2564 | SetupFrontEnd.exe (repeated once per loaded DLL; all but the last two entries)
- 4604 | paintdotnet.exe (listed twice)
Registers COM server for autorun (1 TTP, 3 IoCs)
Processes:
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32 | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ = "C:\\Program Files\\paint.net\\PaintDotNet.ShellExtension.x64.dll" | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ThreadingModel = "Apartment" | paintdotnet.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Processes:
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SetupFrontEnd.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
- File opened (read-only) | \??\O: | msiexec.exe
- File opened (read-only) | \??\P: | msiexec.exe
- File opened (read-only) | \??\S: | msiexec.exe
- File opened (read-only) | \??\T: | msiexec.exe
- File opened (read-only) | \??\X: | msiexec.exe
- File opened (read-only) | \??\A: | msiexec.exe
- File opened (read-only) | \??\B: | msiexec.exe
- File opened (read-only) | \??\E: | msiexec.exe
- File opened (read-only) | \??\G: | msiexec.exe
- File opened (read-only) | \??\H: | msiexec.exe
- File opened (read-only) | \??\I: | msiexec.exe
- File opened (read-only) | \??\M: | msiexec.exe
- File opened (read-only) | \??\Q: | msiexec.exe
- File opened (read-only) | \??\R: | msiexec.exe
- File opened (read-only) | \??\W: | msiexec.exe
- File opened (read-only) | \??\F: | msiexec.exe
- File opened (read-only) | \??\K: | msiexec.exe
- File opened (read-only) | \??\L: | msiexec.exe
- File opened (read-only) | \??\N: | msiexec.exe
- File opened (read-only) | \??\U: | msiexec.exe
- File opened (read-only) | \??\V: | msiexec.exe
- File opened (read-only) | \??\Z: | msiexec.exe
- File opened (read-only) | \??\J: | msiexec.exe
- File opened (read-only) | \??\Y: | msiexec.exe
Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
All 64 entries are "File created" by msiexec.exe under C:\Program Files\paint.net\; paths are given relative to that directory:
- clrgc.dll
- Newtonsoft.Json.dll
- PaintDotNet.Primitives.pdb
- paintdotnet.runtimeconfig.json
- System.Diagnostics.Tools.dll
- System.Threading.Tasks.dll
- Bundled\WebPFileType\Third Party Notices.txt
- License.txt
- PaintDotNet.Base.pdb
- PaintDotNet.ComponentModel.pdb
- PaintDotNet.Resources.dll
- PaintDotNet.Windows.Core.pdb
- System.Runtime.CompilerServices.Unsafe.dll
- System.Xml.XmlSerializer.dll
- UIAutomationClientSideProviders.dll
- PaintDotNet.Effects.Gpu.xml
- PaintDotNet.SystemLayer.dll
- System.Net.Quic.dll
- System.Threading.Tasks.Parallel.dll
- PaintDotNet.Framework.pdb
- PaintDotNet.UI.pdb
- System.Net.Mail.dll
- PaintDotNet.Data.xml
- paintdotnet.dll
- PaintDotNet.Effects.Core.pdb
- PaintDotNet.Strings.3.resources
- PresentationFramework.Luna.dll
- System.Diagnostics.DiagnosticSource.dll
- System.Runtime.Serialization.Json.dll
- mscorlib.dll
- PaintDotNet.Strings.3.he.resources
- PaintDotNet.Windows.xml
- System.Drawing.Primitives.dll
- System.Net.HttpListener.dll
- System.Net.NameResolution.dll
- System.Security.Cryptography.X509Certificates.dll
- System.Xml.ReaderWriter.dll
- clretwrc.dll
- msvcp140_2.dll
- PaintDotNet.Collections.pdb
- System.ComponentModel.EventBasedAsync.dll
- System.Private.CoreLib.dll
- System.ComponentModel.TypeConverter.dll
- System.IO.FileSystem.dll
- System.Numerics.dll
- System.Printing.dll
- System.Private.Xml.dll
- System.Xml.XPath.XDocument.dll
- Resources\es\Images.PayPalDonate.gif
- Microsoft.Win32.Registry.AccessControl.dll
- Mono.Cecil.Rocks.dll
- PaintDotNet.Strings.3.sl.resources
- PointerToolkit.dll
- PresentationUI.dll
- System.Net.WebSockets.Client.dll
- System.Security.SecureString.dll
- System.Text.RegularExpressions.dll
- System.Windows.Extensions.dll
- PaintDotNet.Data.dll
- PaintDotNet.Fundamentals.dll
- PresentationFramework-SystemData.dll
- System.Data.DataSetExtensions.dll
- System.Drawing.Common.dll
- System.Web.dll
Drops file in Windows directory (12 IoCs)
Processes:
description | ioc | process
- File opened for modification | C:\Windows\Installer\{DBC43589-CC32-4502-BBEC-5B931AF4BD2E}\app_icon.ico | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSIC95D.tmp | msiexec.exe
- File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | PaintDotNet.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
- File opened for modification | C:\Windows\Installer\ | msiexec.exe
- File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
- File created | C:\Windows\Installer\SourceHash{DBC43589-CC32-4502-BBEC-5B931AF4BD2E} | msiexec.exe
- File created | C:\Windows\Installer\{DBC43589-CC32-4502-BBEC-5B931AF4BD2E}\app_icon.ico | msiexec.exe
- File created | C:\Windows\Installer\e5a7f05.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\e5a7f05.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSIA73E.tmp | msiexec.exe
- File created | C:\Windows\Installer\e5a7f08.msi | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
- Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not present in source] | vssvc.exe
- Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
Processes:
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 9731bf4db045d901 | iexplore.exe
Processes:
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2258115567" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ce508bb64bd901 | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "384382476" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2258115567" | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4000398bb64bd901 | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31017910" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31017910" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B1BC3AFC-B7A9-11ED-BDA1-42C2EBB090FB} = "0" | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca13020000000002000000000010660000000100002000000076047bb8747db7431eb6c0ffc83c45433fc79c0be294459ae30a4ba111fdc35d000000000e8000000002000020000000265b84368794caecc96880ac547c067a73f6fb1c60590daff342de1f6802d98d200000004a74f6a91cba6f5723ef445977511f8801e0720a8c839dd0ce843c483f86e6a940000000e98a1fafc4992f0fe796b35e6b9b2a1bbc08e190e5d7f8c56481a623e7ef45e7870c6eccf4ccbef06d57accf8a171890c2720098594b54d5aecfd5ff52aca901 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2294522520" | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31017910" | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\RepId | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
- Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca1302000000000200000000001066000000010000200000004bef85c74998f5a3206974774d4546f7d173c81f0a41bdf008824b6f0e93774d000000000e8000000002000020000000bca3794cd16dc63d1bba51ad3c59e2bb8219af3b46e622606d66b6eeae2ded2720000000ac4187ae8e24f22096b04021d47197c8ae3a07c464fa4e49df47dba3e9c210dd40000000b73950969a09977de754a860da947a93c8e6e7172a6c1d3276d24925428efeae6fcd9e92d36f1de1d4b81f3a35f24c81be2b7166824de0f41e5603738664a91c | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{A4A62196-7649-4BF4-BFFD-943D6671F7C1}" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Modifies data under HKEY_USERS (20 IoCs)
Processes:
description | ioc | process
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
- Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | msiexec.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
- Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | msiexec.exe
- Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F | msiexec.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 | msiexec.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "15" | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | msiexec.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Modifies registry class (64 IoCs)
Processes:
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32 | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.dds | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2 | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\SourceList\Media | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit\command\ = "\"C:\\Program Files\\paint.net\\paintdotnet.exe\" \"%1\"" | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.rle | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\paint.net.1 | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\URL Protocol | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FBF113F1-D7C8-477C-A23A-E600E7937E11}\InprocServer32\ThreadingModel = "Apartment" | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.pdn | paintdotnet.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\DeploymentFlags = "3" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\print\command | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\edit\command | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pdn | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ = "paint.net.1" | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tga\OpenWithProgids | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ShellEx | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell\edit | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\PerceivedType = "image" | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.jfif | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\DefaultIcon | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\DefaultIcon\ = "C:\\Program Files\\paint.net\\paintdotnet.exe,0" | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\shell\open\command | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CLSID | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.png | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.wmp | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.bmp | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\OpenWithProgids\paint.net.1 | paintdotnet.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\Version = "83886082" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96} | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\OpenWithProgids\paint.net.1 | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.avif\OpenWithProgids | paintdotnet.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\InstanceType = "0" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CurVer | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider.1\CLSID | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider.1 | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.heic\OpenWithProgids | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\OpenWithProgids\paint.net.1 | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tga\OpenWithProgids\paint.net.1 | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.webp | paintdotnet.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\Assignment = "1" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\04F04A40702A84B4EA7DA65A234E2357 | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\SourceList\Net\1 = "C:\\Program Files\\paint.net\\Staging\\" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\shell | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.tif\OpenWithProgids\paint.net.1 | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\SourceList | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\FriendlyTypeName = "paint.net Image" | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paintdotnet\DefaultIcon | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.ThumbnailProvider\CurVer\ = "paint.net.ThumbnailProvider.1" | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\PackageCode = "D3ABCFC2DF1E0544DA82015E6088D941" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\shell\open | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tga | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\CurVer | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pdn\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}\ = "{FBF113F1-D7C8-477C-A23A-E600E7937E11}" | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.tiff | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\paintdotnet.exe\SupportedTypes\.tif | paintdotnet.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\98534CBD23CC2054BBCEB539A14FDBE2 | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\98534CBD23CC2054BBCEB539A14FDBE2\AdvertiseFlags = "388" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.dds\OpenWithProgids | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rle\OpenWithProgids\paint.net.1 | paintdotnet.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\paint.net.1\ = "paint.net Image" | paintdotnet.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid process
- 8 msiexec.exe
- 8 msiexec.exe
- 4428 msedge.exe
- 4428 msedge.exe
- 4984 msedge.exe
- 4984 msedge.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid process
- 2564 SetupFrontEnd.exe
- 3812 PaintDotNet.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
pid process
- 4532 iexplore.exe
- 4532 iexplore.exe
- 2336 7zG.exe
- 2564 SetupFrontEnd.exe
- 3812 PaintDotNet.exe
- 564 msedge.exe
-
Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
pid process
- 4532 iexplore.exe
- 4532 iexplore.exe
- 1604 IEXPLORE.EXE
- 1604 IEXPLORE.EXE
- 1604 IEXPLORE.EXE
- 1604 IEXPLORE.EXE
- 3172 paint.net.5.0.2.install.anycpu.web.exe
- 2156 SetupShim.exe
- 5092 paint.net.5.0.2.install.x64.exe
- 1124 SetupShim.exe
- 2564 SetupFrontEnd.exe
- 3812 PaintDotNet.exe
- 3812 PaintDotNet.exe
- 3812 PaintDotNet.exe
- 3812 PaintDotNet.exe
- 3812 PaintDotNet.exe
- 1720 LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe (depth 1)
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\pdn.html
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 2)
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4532 CREDAT:17410 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exe (depth 1)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Program Files\7-Zip\7zG.exe (depth 1)
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap16387:126:7zEvent28482
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\paint.net.5.0.2.install.anycpu.web.exe (depth 1)
"C:\Users\Admin\Desktop\paint.net.5.0.2.install.anycpu.web.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS46C97418\SetupShim.exe (depth 2)
"C:\Users\Admin\AppData\Local\Temp\7zS46C97418\SetupShim.exe" /suppressReboot
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS46C97418\x64\SetupDownloader\SetupDownloader.exe (depth 3)
"x64\SetupDownloader\SetupDownloader.exe" /SkipSuccessPrompt "C:\Users\Admin\AppData\Local\Temp\7zS46C97418\SetupShim.exe" /suppressReboot
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\a16aa55e-bded-4ecc-9287-47ceebdb7724\paint.net.5.0.2.install.x64.exe (depth 4)
"C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\a16aa55e-bded-4ecc-9287-47ceebdb7724\paint.net.5.0.2.install.x64.exe" C:\Users\Admin\AppData\Local\Temp\7zS46C97418\SetupShim.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\SetupShim.exe (depth 5)
"C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zS46C97418\SetupShim.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\SetupFrontEnd.exe (depth 6)
"x64\SetupFrontEnd.exe" "C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\SetupShim.exe" /suppressReboot C:\Users\Admin\AppData\Local\Temp\7zS46C97418\SetupShim.exe
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\paint.net\PaintDotNet.exe (depth 7)
"C:\Program Files\paint.net\PaintDotNet.exe"
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exe (depth 1)
C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exe (depth 1)
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exe (depth 1)
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\paint.net\paintdotnet.exe (depth 2)
"C:\Program Files\paint.net\paintdotnet.exe" /setupActions /install DESKTOPSHORTCUT=1 PDNUPDATING=0 SKIPCLEANUP=0 "PROGRAMSGROUP=" /disablePGO /skipEstablishNVProfile /skipRepairAttempt
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5be5c95bhabd7h4427h87efhd3468564eb6d
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0x120,0x124,0xfc,0x128,0x7ff9096b46f8,0x7ff9096b4708,0x7ff9096b4718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,16377907601568986710,2459857674175961531,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,16377907601568986710,2459857674175961531,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,16377907601568986710,2459857674175961531,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\system32\cmd.exe (depth 1)
"C:\Windows\system32\cmd.exe"
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
-
C:\Windows\system32\vssvc.exe (depth 1)
C:\Windows\system32\vssvc.exe
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault69901b17hcc48h4069h8740hd8333899c604
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7ff9096b46f8,0x7ff9096b4708,0x7ff9096b4718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5674392825202249278,5591079169188158371,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,5674392825202249278,5591079169188158371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,5674392825202249278,5591079169188158371,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
-
C:\Windows\system32\LogonUI.exe (depth 1)
"LogonUI.exe" /flags:0x4 /state0:0xa393d055 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Downloads
-
C:\Config.Msi\e5a7f07.rbs
Filesize 79KB
MD5 4708d230440c831d120eb37e5c07a18c
SHA1 cf85899f6d9330507f9a2daf47e13ce41a6e2ed8
SHA256 1f9e490ae187e99fddb8a07e5a81ff1bf9d9885ac4a20beaa6769668b984a3ec
SHA512 95c3aca3016f789b8d6ca3a736bbd5ae10abd01b5e40b843eef2c241fed37bf020c4b957c20469a3e324a9315ffa60b746bf6da19d3f1b8bac3d2bcf81a9e7bb
-
C:\Config.Msi\e5a7f09.rbs
Filesize 663B
MD5 8f8610dc4e69ef3a6fc405af96bb2ae4
SHA1 9600df49f6131dba40b86258d51f6c224c9c45a5
SHA256 0298da6a23b5b0e3bb4ac2bb6eb313a9ff57dec2a932e0ed5add58cd004ca8cf
SHA512 122533729dabd33768b8aa248fa32e48edd22b455b0081995c70b9e1fa42796953d03d42da0e6090f042da6e0a1772a51dcbf98c4ed6d8d714495086de34cda7
-
C:\Program Files\paint.net\mscordaccore_amd64_amd64_7.0.323.6910.dll
Filesize 1.3MB
MD5 8753cfc25b8785a7204e522d99ad50f2
SHA1 fde44f698b477755aa49cf9717d07ab1fdceadd0
SHA256 b9e9aed9f540350284b5274fbb27be1eaae107a339b8e58c89216fb1adf38e05
SHA512 2757a03a268f66f3cd766edaadab0a4b6d2f9e6d4fddf3c30608a434e1806c34ad4691c690d9105b9298687114bc5f9b4fc0ea4acdb42254ea78db265f94f5c5
-
C:\Program Files\paint.net\paintdotnet.runtimeconfig.json
Filesize 449B
MD5 5653eeba8fa7fcba355024cf1cdc3030
SHA1 352596de8ee84a1d18d61c2eb74cad8fe3efe92b
SHA256 c3a49dd86d68b783c5bf42d9a03381b68f93e2f7014ec8d2a111078cbc20f03a
SHA512 2151d877d38f738091a41b02013c547906c0e4cbccd3d68f720d9a187de02fdf336df3c2c42af38c93835902cec7d601dc0e825145fe23c8a48a51c463035b0a
-
C:\Program Files\paint.net\vcruntime140_cor3.dll
Filesize 106KB
MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 b8c9383861d9295966a7f745d7b76a13
SHA1 d77273648971ec19128c344f78a8ffeb8a246645
SHA256 b75207c223dfc38fbb3dbf03107043a7dce74129d88053c9316350c97ac26d2e
SHA512 094e6978e09a6e762022e8ff57935a26b3171a0627639ca91a373bddd06092241d695b9f3b609ba60bc28e78a5c78cf0f072d79cd5769f1b9f6d873169f0df14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 91fa8f2ee8bf3996b6df4639f7ca34f7
SHA1 221b470deb37961c3ebbcc42a1a63e76fb3fe830
SHA256 e8e0588b16d612fa9d9989d16b729c082b4dd9bfca62564050cdb8ed03dd7068
SHA512 5415cd41f2f3bb5d9c7dadc59e347994444321cf8abe346b08e8c5a3fc6a5adae910eda43b4251ba4e317fbb7696c45dba9fd5e7fa61144c9b947206c7b999c4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize 70KB
MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize 2KB
MD5 6035ec22be73a1d2428871f21ae14587
SHA1 37aece0776e7f925bf14567d810248a57b491059
SHA256 9444eae5fcc16f2c689d507548eeac9cc9272f6ea86fa2b3f5726d203dd41016
SHA512 bba159bdfc8806a1a2c3cb9a189eae0aba2e37529d92650af9c1a48ac16b6d711bd32c1debbd6f5c14cb42c243ce29e10b8090e3f4ef1d154042a7fdf3350103
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize 111B
MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 4KB
MD5 f646875e7d07ae0a2e62a8685123a6f2
SHA1 964d124cb534115f550b8f1002d4b49acaa593bd
SHA256 9b0f6478fb8f40478cc3006bd31e498c3c48598c467cb116fe8aa015e8a756e4
SHA512 2bb71ae84d5ab0ea2e337142e0452fda4835fd93b2b57d1245a18a364d1d552cedbec2eaa7e618de5b86ddbf172d4b13fc68df75c473a25d6f5f8ef29ed9c59a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 4KB
MD5 2f97a27219d18124a599522dadf606ca
SHA1 b84d8da8cc47df485a4c4b7d64e7f1da4ac85498
SHA256 a1a2978343577d55ee58cf98919ee061fa4f258d228cf276afac93986809f9cd
SHA512 932b3a9055acf7d67d516063050b45bd1a480ca7eb506bb0845829f081f7d44d4f00eb0a5a57ad88680825d93e13d0b146f4840b10609ba1fe02c14ce55c50a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 3KB
MD5 2006a217e422ae13022a17a6f40dc722
SHA1 085d4d5a3fb71d1b9d8a098f31ba88a98f6f70f7
SHA256 a7383ad9bbc8fce37ce5dfa2c3d34d1dd739688f0d3602da2b8002896636c437
SHA512 7b0c54aff0a80fd50b6e642c483c50da886c09eaea3565242bcb5d81bf4a8d1fd6c4ded7c9ae1004131994ced7c3d3cbcfc85e25076334f198b9f15a454298f3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 3KB
MD5 3a1a864f3287dbce3248dcc3dfb57de0
SHA1 46a273eb96b3a382549162668dbcbbefbb9a9bcf
SHA256 88b552dcb38b502b6370e39a3faf3555d406d1c360c620482504b441bb65995b
SHA512 e320bbb729b9b464d5b01187fb593e65f592a05d22d5d132a4c0e232598225c4ee4f4503c74a1875d1d26f4f2cb0d25e17c765eb648b05771d1bb9c2992c3cc0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml
Filesize 15KB
MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y624AVVJ\paint.net.5.0.2.install.anycpu.web[1].zip
Filesize 734KB
MD5 e89beda41843c048e1ac4272433daa6c
SHA1 24137615dd6eaa6b465aae19966622f1c6be85c2
SHA256 ed96caac4a2ea5f3c8a295008cde2cafa667820254ae80a1cd87a9a494f0c739
SHA512 30b2c62cf1468afeb8ee8578dc7ccdf5413443bb1a010fec1813c576678a178349e66e4d6a0d00c209102ab460f33e7bb031e0ff1d686a77bc05dde6be2efb51
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y624AVVJ\suggestions[1].en-US
Filesize 17KB
MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Temp\7zS46C97418\SetupShim.exe
Filesize 136KB
MD5 db51c903838632898319669eb2271114
SHA1 25fa7935e834e56f7757321da7f84aad8d587eee
SHA256 babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4
SHA512 a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb
-
C:\Users\Admin\AppData\Local\Temp\7zS46C97418\x64\SetupDownloader\Newtonsoft.Json.dll
Filesize 695KB
MD5 715a1fbee4665e99e859eda667fe8034
SHA1 e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256 c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512 bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
-
C:\Users\Admin\AppData\Local\Temp\7zS46C97418\x64\SetupDownloader\SetupDownloader.Configuration.json
Filesize 135B
MD5 8ca6779446e31e219589a08769448da2
SHA1 efc2d9e4b0f99daf0333406610d8031a5a8aed2f
SHA256 2b23a17e993b7837a89365cdd328541f58ddfd4ab2b45285058284eee5733613
SHA512 a6a863880835dcca879534ec8a353e2d7fef9c4410edfe41b59bac561492cc6084330c7aad1d2e8a9590b2a3d7551a0b8b6d45ced4d235f01b596d69b593bbf4
-
C:\Users\Admin\AppData\Local\Temp\7zS46C97418\x64\SetupDownloader\SetupDownloader.exe
Filesize 263KB
MD5 bf4f4864bcecd94eefa400a6ae55edbf
SHA1 eb106dbbe2c4d659cdd225229f9b82001152295a
SHA256 fb50d98597661e5f8386f0ea44f036031547f4e1c806d8aa38717337ed4fea95
SHA512 9bc97bbabb8023adb2544f59107a2e56346f787ed4f8ef042210601ad92cba54898d2e099946f87e11d5e72f0f1d637df11f7c028ff4e5ccaab7d265b307fb2b
-
C:\Users\Admin\AppData\Local\Temp\7zS46C97418\x64\SetupDownloader\SetupDownloader.exe.configFilesize
218B
MD58f692dcbf1e68398b5dac3eba59872b0
SHA118011f5291790b0f49561385731ec5c6ad855415
SHA2568c422938a58df86d88f29c61ff27006f0b3c9bb4742b11486bc5a01a6344129b
SHA512e4bab07f4b9a9f725865e0e9f11fa31a4a1841399044f5976818782739b13d6c2012edf98199c5823ee9ecb3da40e7f3e2f88ab1394547801afa8b5b9dad9e79
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\SetupShim.exeFilesize
136KB
MD5db51c903838632898319669eb2271114
SHA125fa7935e834e56f7757321da7f84aad8d587eee
SHA256babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4
SHA512a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\SetupShim.exeFilesize
136KB
MD5db51c903838632898319669eb2271114
SHA125fa7935e834e56f7757321da7f84aad8d587eee
SHA256babcd035c2f920004fcc922aa23c4fc55949b335b5e920bcec215a51c1e036d4
SHA512a42fd32040317d351f98bf53e0832e1c9dfd7e1b45c5aba44dfbc79f25f88cc19dcb762410840cfa5cd63e8531496dfe25d63937af8758d712d06102e626fdbb
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.Base.dllFilesize
718KB
MD51cf53a29e427572615759900ca36c907
SHA10f023f73bed0833154de0282e3a5336879b9ef72
SHA25623cd2f8a4bf0283833e772d583701b2b806273cd8ed2e8c2ac7fbeaf0ebcba2f
SHA512fecd8e43b981bf0206a280eb3008f6156c7939b67d507bd892dc1cca63b4178db0490746da5386885256fc118a03875f0900f014741abfc99dd1958fed3c5fd8
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.Base.dllFilesize
718KB
MD51cf53a29e427572615759900ca36c907
SHA10f023f73bed0833154de0282e3a5336879b9ef72
SHA25623cd2f8a4bf0283833e772d583701b2b806273cd8ed2e8c2ac7fbeaf0ebcba2f
SHA512fecd8e43b981bf0206a280eb3008f6156c7939b67d507bd892dc1cca63b4178db0490746da5386885256fc118a03875f0900f014741abfc99dd1958fed3c5fd8
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.ComponentModel.dllFilesize
98KB
MD585a011052f83162b31d78e7c515a8d5e
SHA1be7d91c62ccba4e971bfa0cf82f65d87706d6bc7
SHA25692a847f24993b6d79a8f88f132dc7579b605de97adbb1824676ee41b0604a90f
SHA51297e5369cd63d94fad2fe26dd7340230fb61e68e4884c47442716723233abf0f86f0a413b0ed30efba4c58617c5ddca6f379b581ca07984e948a2522aab60afe3
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.ComponentModel.dllFilesize
98KB
MD585a011052f83162b31d78e7c515a8d5e
SHA1be7d91c62ccba4e971bfa0cf82f65d87706d6bc7
SHA25692a847f24993b6d79a8f88f132dc7579b605de97adbb1824676ee41b0604a90f
SHA51297e5369cd63d94fad2fe26dd7340230fb61e68e4884c47442716723233abf0f86f0a413b0ed30efba4c58617c5ddca6f379b581ca07984e948a2522aab60afe3
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.Core.dllFilesize
2.2MB
MD5c8355d166cef6f93f2f47774a0776467
SHA13aad0094ba42ddad5b7f09a269666608ff61ea43
SHA2565b525c55dab076d859b6e295d41f1d11ad72bdd8c4c9f0276d6367b905f0d016
SHA51220697b959024ee159e5dbdc7e0b070294cd531d27ff7aa911b556c91f22f579bc7f57b412172a92c6593a8015370d4a91fdbc299ad4b0a00516cf743f88defc1
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.Core.dllFilesize
2.2MB
MD5c8355d166cef6f93f2f47774a0776467
SHA13aad0094ba42ddad5b7f09a269666608ff61ea43
SHA2565b525c55dab076d859b6e295d41f1d11ad72bdd8c4c9f0276d6367b905f0d016
SHA51220697b959024ee159e5dbdc7e0b070294cd531d27ff7aa911b556c91f22f579bc7f57b412172a92c6593a8015370d4a91fdbc299ad4b0a00516cf743f88defc1
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.Framework.dllFilesize
1010KB
MD5f577126db967a0eefbdb78ef4f90234c
SHA12913c381e2dc10f35f51fd001e05a5f6d776c43d
SHA25652d9976c5dc0b39d41a2c8e981c348fd481db7c55c32ff894bfb4d0cc49639d6
SHA512168a626a5e4bb0bf77a351c27a8f0d250948e3968570546fcb6f8bc657535da883ba4e6dbeb72d06c7326f2b40454f9c595d79ff5996ab64e8d5040fae774266
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.Framework.dllFilesize
1010KB
MD5f577126db967a0eefbdb78ef4f90234c
SHA12913c381e2dc10f35f51fd001e05a5f6d776c43d
SHA25652d9976c5dc0b39d41a2c8e981c348fd481db7c55c32ff894bfb4d0cc49639d6
SHA512168a626a5e4bb0bf77a351c27a8f0d250948e3968570546fcb6f8bc657535da883ba4e6dbeb72d06c7326f2b40454f9c595d79ff5996ab64e8d5040fae774266
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.ObjectModel.dllFilesize
182KB
MD59ed7ba99bbc0d61dd08352a58055b175
SHA1675a0adf156c2a88224483b8469c027e7554d71e
SHA2564118f6e2dea0c8caf0e7b822c52a373af15d8bcdb8038ea8145ac0bd9b25c3c4
SHA5124d498f2604f3ca43912705eb8a19f95a7e930e8babbd5ac0025a0175cd06b1e49d31d5e126100b9fe2fef89c9486ffad7b40695cbb0133c927a01cf2d81484d1
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.ObjectModel.dllFilesize
182KB
MD59ed7ba99bbc0d61dd08352a58055b175
SHA1675a0adf156c2a88224483b8469c027e7554d71e
SHA2564118f6e2dea0c8caf0e7b822c52a373af15d8bcdb8038ea8145ac0bd9b25c3c4
SHA5124d498f2604f3ca43912705eb8a19f95a7e930e8babbd5ac0025a0175cd06b1e49d31d5e126100b9fe2fef89c9486ffad7b40695cbb0133c927a01cf2d81484d1
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.Strings.3.co.resourcesFilesize
176KB
MD5d52f605089a5909444cd3d00121b9eca
SHA14585d03750c24cb46cd0d47b271019fdd8248163
SHA25685f434ade1a64d4719fa1759446bc2451cac9c81ff063bf4c54eff684625d815
SHA51237ced0bd1c88c67f2aa6efe7c76566a2f39f3fedae4da245752b844f0cebea0a3e4345e74987bb5102cc461b7b9d1e5a4dc6c1131c01bca485a7790159eb1e5a
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.SystemLayer.dllFilesize
822KB
MD5493573b8673f0cb870bf13e974aee4bb
SHA12eb14acc0752ecbf940bf9a07e818984afde1ef3
SHA256d42522b8a8f17ea6305fedb896ca9d7b0a3cfdc7b19b73b11fbbae4cd3e8c824
SHA512ec7609b44f2df92e65489bf1a9fdbfeb3ea9d478541fd095f649d1fbca84de9a6d917dda650aa149e9a53fd0499945ebff7db1eb10aa8a09298ee77f2ce1cf59
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.SystemLayer.dllFilesize
822KB
MD5493573b8673f0cb870bf13e974aee4bb
SHA12eb14acc0752ecbf940bf9a07e818984afde1ef3
SHA256d42522b8a8f17ea6305fedb896ca9d7b0a3cfdc7b19b73b11fbbae4cd3e8c824
SHA512ec7609b44f2df92e65489bf1a9fdbfeb3ea9d478541fd095f649d1fbca84de9a6d917dda650aa149e9a53fd0499945ebff7db1eb10aa8a09298ee77f2ce1cf59
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.Windows.dllFilesize
3.2MB
MD59175025bcbca0f749d6500a842e9f048
SHA1361941df6e4d3e9a4ec1b340a7a1e06c02e85c45
SHA256616009e382db7b7d5f7cb9af73cc501f05a879bb9d67045d483fa69e6ac4a0e3
SHA5124dc770f39cb3489c2c1c1078f35bf50b6e5eec83217863ea57a12d77db70a91d1fc9e5932ec0b32c6de8f54efc8eedcadc3ea18ae383bda95eb59c1c542d18da
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\PaintDotNet.Windows.dllFilesize
3.2MB
MD59175025bcbca0f749d6500a842e9f048
SHA1361941df6e4d3e9a4ec1b340a7a1e06c02e85c45
SHA256616009e382db7b7d5f7cb9af73cc501f05a879bb9d67045d483fa69e6ac4a0e3
SHA5124dc770f39cb3489c2c1c1078f35bf50b6e5eec83217863ea57a12d77db70a91d1fc9e5932ec0b32c6de8f54efc8eedcadc3ea18ae383bda95eb59c1c542d18da
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\SetupFrontEnd.deps.jsonFilesize
59KB
MD528b6e9050c62d0117e97e70a5bac36f4
SHA10ba79797c1f1da83353b589a87724c75440df931
SHA2561db2bb606660cf0de98c5260d44f29b17357466d216e90dc937c2e2bf0a1330f
SHA51216166b440b1c81c8a1598da8c2fbeddfb9eb271f9467d2f567543f0a452a2d35fccc2ba231b8b0524de0aeecedc509882d5908b4b99c3b9c703849cf2e9e2450
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\SetupFrontEnd.dllFilesize
210KB
MD57661fbc617c62838da8d27fa8fe41e69
SHA1173c1d28c5bec798dd1ba2a6e077809f6cda2abe
SHA2569c06869c94371a1754f90fa0475f3987f1177dff0b5e3b88a555b3971ce78b81
SHA512099165b23c85e0a70e7f337a822d23a9880c7c31f240f0f20bebf186359e17bfc1ccd40d7119f4c16502401e06e8e1a3b7ee5e8cbc4a47160c552a76798044ab
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\SetupFrontEnd.dllFilesize
210KB
MD57661fbc617c62838da8d27fa8fe41e69
SHA1173c1d28c5bec798dd1ba2a6e077809f6cda2abe
SHA2569c06869c94371a1754f90fa0475f3987f1177dff0b5e3b88a555b3971ce78b81
SHA512099165b23c85e0a70e7f337a822d23a9880c7c31f240f0f20bebf186359e17bfc1ccd40d7119f4c16502401e06e8e1a3b7ee5e8cbc4a47160c552a76798044ab
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\SetupFrontEnd.exeFilesize
162KB
MD5ecd1b6c532545defb118d10bb666575e
SHA13209041ed6b54c274b0a66e6121955b500fd42c5
SHA2565610b309cc56efd174fdf45feec265b086ee9ff55efb0d3862fff81348e78fb0
SHA512dd2522cac5ab3062492851e72892c99a0aa8e2c1d9e056c1fb18fdd882a433dd93a6b1e68f1c49f3de6f4e88f7a684f695a86f82bbd8f3c811ffe0a4b40ee152
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\SetupFrontEnd.exeFilesize
162KB
MD5ecd1b6c532545defb118d10bb666575e
SHA13209041ed6b54c274b0a66e6121955b500fd42c5
SHA2565610b309cc56efd174fdf45feec265b086ee9ff55efb0d3862fff81348e78fb0
SHA512dd2522cac5ab3062492851e72892c99a0aa8e2c1d9e056c1fb18fdd882a433dd93a6b1e68f1c49f3de6f4e88f7a684f695a86f82bbd8f3c811ffe0a4b40ee152
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\SetupFrontEnd.runtimeconfig.jsonFilesize
449B
MD55653eeba8fa7fcba355024cf1cdc3030
SHA1352596de8ee84a1d18d61c2eb74cad8fe3efe92b
SHA256c3a49dd86d68b783c5bf42d9a03381b68f93e2f7014ec8d2a111078cbc20f03a
SHA5122151d877d38f738091a41b02013c547906c0e4cbccd3d68f720d9a187de02fdf336df3c2c42af38c93835902cec7d601dc0e825145fe23c8a48a51c463035b0a
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Collections.Specialized.dllFilesize
106KB
MD5d266ccdac8a4beab6b1df38847c06ee3
SHA19ab6aefe5142becb42a24069b2c1df9148d1c9fd
SHA25612737b63f59707891828a0c5fecd716e34aa35be795bb5b19547185104e22aa3
SHA512d100df0e44e34d7b466976093a1fb8287203a29381a34a8f315c5931b4b9fc132024935d02534101570b34a40e80b3972d3061ace5be3b8428ea531d65ebe054
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Collections.Specialized.dllFilesize
106KB
MD5d266ccdac8a4beab6b1df38847c06ee3
SHA19ab6aefe5142becb42a24069b2c1df9148d1c9fd
SHA25612737b63f59707891828a0c5fecd716e34aa35be795bb5b19547185104e22aa3
SHA512d100df0e44e34d7b466976093a1fb8287203a29381a34a8f315c5931b4b9fc132024935d02534101570b34a40e80b3972d3061ace5be3b8428ea531d65ebe054
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.ComponentModel.Primitives.dllFilesize
82KB
MD5facfdafa0ae200ca0633d319a17e0cd1
SHA1534d0549fa4dd93da4edf6b09a0e4fe64488cfd6
SHA2568b176b5697c67ffd3f5ad4ec60bf4efd2bd5d0ad902bb96f6b05ef48bea0124c
SHA512d44cad0fab5d1e150ae806e2e81dbe68caf36d6e64907f43d861c5c7681f93313982a3aa1dd9bb36848d71ee60dfb10548b57f856bd317a9ce70198837fd8e26
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.ComponentModel.Primitives.dllFilesize
82KB
MD5facfdafa0ae200ca0633d319a17e0cd1
SHA1534d0549fa4dd93da4edf6b09a0e4fe64488cfd6
SHA2568b176b5697c67ffd3f5ad4ec60bf4efd2bd5d0ad902bb96f6b05ef48bea0124c
SHA512d44cad0fab5d1e150ae806e2e81dbe68caf36d6e64907f43d861c5c7681f93313982a3aa1dd9bb36848d71ee60dfb10548b57f856bd317a9ce70198837fd8e26
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.ComponentModel.dllFilesize
30KB
MD503529f44b676b450990e523c6c50208a
SHA14046f0095fa3a01ec771d749961e3aed356efaf8
SHA256b69c45559d45e199152ed3b558ec9656fd52ecc05cd0456adccecc72e276ae9e
SHA512ae0610381848bbd5993cb95b2f9c8ba18eace61b496883df7946f8c3509e03fdbd45558e74020045f98dbed95a257743f8a3f055e9b2e519e782b678119c23fe
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.ComponentModel.dllFilesize
30KB
MD503529f44b676b450990e523c6c50208a
SHA14046f0095fa3a01ec771d749961e3aed356efaf8
SHA256b69c45559d45e199152ed3b558ec9656fd52ecc05cd0456adccecc72e276ae9e
SHA512ae0610381848bbd5993cb95b2f9c8ba18eace61b496883df7946f8c3509e03fdbd45558e74020045f98dbed95a257743f8a3f055e9b2e519e782b678119c23fe
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Drawing.Primitives.dllFilesize
134KB
MD598fdeb87ea5ea177d59f9696a8ad4037
SHA17c9e811e273c73e7f1966feade5185bacdab4bfb
SHA2566f9f317c606db86f5e708a991c70641a3b7246a14b8f6b4a771b65111b409c91
SHA512030b179196292a23d9c92c61c0661d00aa2321d91ef6c90e2ffd22d593ded19bce8c22203269e3b6608eb1fa55a1ae9f2102501935299261f30865d073101220
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Drawing.Primitives.dllFilesize
134KB
MD598fdeb87ea5ea177d59f9696a8ad4037
SHA17c9e811e273c73e7f1966feade5185bacdab4bfb
SHA2566f9f317c606db86f5e708a991c70641a3b7246a14b8f6b4a771b65111b409c91
SHA512030b179196292a23d9c92c61c0661d00aa2321d91ef6c90e2ffd22d593ded19bce8c22203269e3b6608eb1fa55a1ae9f2102501935299261f30865d073101220
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Private.CoreLib.dllFilesize
11.1MB
MD5df68b7a4b26558b45a358e300bfd1fff
SHA197172af4477cacc71501e7ad8a7b1c23aa5292ee
SHA256c3c1f001304c11fc0ec037a8aac9348c82aea824f3b50a308aebdf2c47f579b9
SHA512e6d895cf2720a1bbb5138db2cad2aad2e4768ba1934406bb812fb2d5ccdbbb341dcf95ace2d7dd3d0209d5ee8aa143c31f195e7a43912c2a12eff1e411198125
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Private.CoreLib.dllFilesize
11.1MB
MD5df68b7a4b26558b45a358e300bfd1fff
SHA197172af4477cacc71501e7ad8a7b1c23aa5292ee
SHA256c3c1f001304c11fc0ec037a8aac9348c82aea824f3b50a308aebdf2c47f579b9
SHA512e6d895cf2720a1bbb5138db2cad2aad2e4768ba1934406bb812fb2d5ccdbbb341dcf95ace2d7dd3d0209d5ee8aa143c31f195e7a43912c2a12eff1e411198125
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Runtime.InteropServices.dllFilesize
62KB
MD5e31b6fb60d050aa48ff3ef07ee328774
SHA15a28a778566856b8a9a578ea7e72d32b9edf0c30
SHA256f218bca40230158afd7d9c3e0c4e604e6c75d8cc089013c6b86b05670c5ead60
SHA512b5841e4e9e4d26942a68b50d8a4298b636608525a83f2550c5693248ca79c9f221455c35714d958503766f1c571637283b43aac758e36b60873043a301417f5a
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Runtime.InteropServices.dllFilesize
62KB
MD5e31b6fb60d050aa48ff3ef07ee328774
SHA15a28a778566856b8a9a578ea7e72d32b9edf0c30
SHA256f218bca40230158afd7d9c3e0c4e604e6c75d8cc089013c6b86b05670c5ead60
SHA512b5841e4e9e4d26942a68b50d8a4298b636608525a83f2550c5693248ca79c9f221455c35714d958503766f1c571637283b43aac758e36b60873043a301417f5a
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Runtime.dllFilesize
42KB
MD5ed234e38f8a495d72bc9a09c994586bf
SHA1f705cb25476684043e53e218cff38d25c2a39485
SHA2563b3334e456862d406be6d07438c91fd74f5c1eb75d7f2a4a634b2e4c9d1d8da9
SHA512a67ec1cba68870e16b151578c49fb05c0b35c763fa59cf8c791ce2793bea2af402d4e43f155c23ce3aeba1e1004fd5968ebf59ec273c61aea7b6a5a07ecbbf6b
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Threading.dllFilesize
86KB
MD5b5ef5c13ff2ebb10956c4c88dde9291d
SHA1696f9a370d5484e18929aef6e2852c9a1648bd6b
SHA256cd6858a7ffb8cbf1b76100d3aa16968c9ed2dd4e7baa877e804a899920c9b1e5
SHA512a69bd968c8cf54606d8753d77692460687de71c722546780ab468d3df11422a9b9b1cea2a11aea34ee58feb9072773b011659f86feaed3743d53eda6406bd9a3
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Windows.Forms.Primitives.dllFilesize
938KB
MD52c4e345796dad80b1a759e870a8a3ad9
SHA1f2070511c877aa75c33d81a9e389b0b304561b29
SHA2567d8d937eb21dec9b14d7c9850ab4e4ed35371c81951064a52e5dd35d08f258b1
SHA512b73ee44081a86897ea65301a44c1226e11118800ebe5b40dbe524ea6dab89590341768662395175d0faa85956cb80cdc9a9178d9d044ebd30fab08a56fbd37da
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Windows.Forms.Primitives.dllFilesize
938KB
MD52c4e345796dad80b1a759e870a8a3ad9
SHA1f2070511c877aa75c33d81a9e389b0b304561b29
SHA2567d8d937eb21dec9b14d7c9850ab4e4ed35371c81951064a52e5dd35d08f258b1
SHA512b73ee44081a86897ea65301a44c1226e11118800ebe5b40dbe524ea6dab89590341768662395175d0faa85956cb80cdc9a9178d9d044ebd30fab08a56fbd37da
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Windows.Forms.dllFilesize
12.7MB
MD5868c8f0294d962d59e42cd99f84df7db
SHA14000ed87508a8ae6c2f5734c88b36f63aad7cf7e
SHA2560f011e8a2c0e8012460d2d3f8c4f8770479114a7a82190f2cee0d549d0464f3a
SHA51272fb85ba781b5ccda918d1f3935df81ff03ce0db48652647db1242a5c0fccdbeb245489115bc245f0e1f1aad5f1245f4f96f8ed0ff692ff3838adaf4179cb7a7
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\System.Windows.Forms.dllFilesize
12.7MB
MD5868c8f0294d962d59e42cd99f84df7db
SHA14000ed87508a8ae6c2f5734c88b36f63aad7cf7e
SHA2560f011e8a2c0e8012460d2d3f8c4f8770479114a7a82190f2cee0d549d0464f3a
SHA51272fb85ba781b5ccda918d1f3935df81ff03ce0db48652647db1242a5c0fccdbeb245489115bc245f0e1f1aad5f1245f4f96f8ed0ff692ff3838adaf4179cb7a7
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\clrjit.dllFilesize
1.5MB
MD5ece00d3324e879add5c7928dbbb9338c
SHA168e9fe01016c6d0dce5d0e29111b49e60330867b
SHA2566f86ee8b4b17306ab623a2f4310151fec97d98abd774316ce10d40cdb8507a2f
SHA51250b2ef7df03c920b103bfb17363b27d46d953f99217790c9acaa12357940a97fc8b5872e6e1665b88303db6c2bb55ca4175fd3c78c942ad9dd7c72c3c9c66315
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\clrjit.dllFilesize
1.5MB
MD5ece00d3324e879add5c7928dbbb9338c
SHA168e9fe01016c6d0dce5d0e29111b49e60330867b
SHA2566f86ee8b4b17306ab623a2f4310151fec97d98abd774316ce10d40cdb8507a2f
SHA51250b2ef7df03c920b103bfb17363b27d46d953f99217790c9acaa12357940a97fc8b5872e6e1665b88303db6c2bb55ca4175fd3c78c942ad9dd7c72c3c9c66315
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\coreclr.dllFilesize
4.9MB
MD5d221f609769e83ea77fd159f3ae009cd
SHA1a0117b8f30085ee22de5756eb758af8efbd64080
SHA2568f12e8464a0e8009f60e6d30beef4ce2f03e6f890580c567174d48f199e2fe61
SHA512d3624a1b404cfc07632abf69002c4f2131012925f9af5c1d45729b98ab532951dea3f336107746318c6f77f0165914f5acefcceeb60b6658414ab7b3beef8bcd
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\coreclr.dllFilesize
4.9MB
MD5d221f609769e83ea77fd159f3ae009cd
SHA1a0117b8f30085ee22de5756eb758af8efbd64080
SHA2568f12e8464a0e8009f60e6d30beef4ce2f03e6f890580c567174d48f199e2fe61
SHA512d3624a1b404cfc07632abf69002c4f2131012925f9af5c1d45729b98ab532951dea3f336107746318c6f77f0165914f5acefcceeb60b6658414ab7b3beef8bcd
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\hostfxr.dllFilesize
373KB
MD507292fe45226d0860160e191476bd1e7
SHA1d347d1b1f9356fe2d59b1a7c1c32b6799c527b30
SHA2560ee83d7180cc7a716f5d8089bf2bfbed6a3a88d92f2a5519e8ff507ed35b72de
SHA51242c7366b09f87780c8e1153ad556d904d98abb3f6800319893f75d644b0fd350149df64591b72b3f3ebdc51effa7e6c2c15ad0885513e81bd7c6613423ebe3a1
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\hostfxr.dllFilesize
373KB
MD507292fe45226d0860160e191476bd1e7
SHA1d347d1b1f9356fe2d59b1a7c1c32b6799c527b30
SHA2560ee83d7180cc7a716f5d8089bf2bfbed6a3a88d92f2a5519e8ff507ed35b72de
SHA51242c7366b09f87780c8e1153ad556d904d98abb3f6800319893f75d644b0fd350149df64591b72b3f3ebdc51effa7e6c2c15ad0885513e81bd7c6613423ebe3a1
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\hostpolicy.dllFilesize
382KB
MD57d7edb04eef25cc94ccde47f45169ec7
SHA1e155a20bdf4de0487493d44ccd167e36cbfd4af6
SHA256402a29f533cdb6f945fd52c03bafd0330e2a57613f2d6b42b45aa7d929196958
SHA512e3cb1e3bbf31aa9d0ca87e05254b9fe6a9b3e201fe58bf23c9e5ce2a1b6f81fc93f9a51cb65f3ff7575bbfc9a73ef32ac8f9b7195bb2b87bf50e37f64f2f6afb
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\hostpolicy.dllFilesize
382KB
MD57d7edb04eef25cc94ccde47f45169ec7
SHA1e155a20bdf4de0487493d44ccd167e36cbfd4af6
SHA256402a29f533cdb6f945fd52c03bafd0330e2a57613f2d6b42b45aa7d929196958
SHA512e3cb1e3bbf31aa9d0ca87e05254b9fe6a9b3e201fe58bf23c9e5ce2a1b6f81fc93f9a51cb65f3ff7575bbfc9a73ef32ac8f9b7195bb2b87bf50e37f64f2f6afb
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\paintdotnet.dllFilesize
7.8MB
MD53534b6402463fba5d76c2913f7b088ca
SHA1f0f3690651d28708107082834126852d024978c9
SHA256e069c6bd90a91218910cd6a0776eac74c5bc32772659c410362213cfbc779371
SHA512cb4bba8050c4cd5a2044a26bd4ae3bf55e98cbc26e445d6cb19e88de91c8be2419bdef5cf57df63d25fef64aff58e63cf6fd3bea565b222acd749117832e60d0
-
C:\Users\Admin\AppData\Local\Temp\7zS4E3DBAE8\x64\paintdotnet.dllFilesize
7.8MB
MD53534b6402463fba5d76c2913f7b088ca
SHA1f0f3690651d28708107082834126852d024978c9
SHA256e069c6bd90a91218910cd6a0776eac74c5bc32772659c410362213cfbc779371
SHA512cb4bba8050c4cd5a2044a26bd4ae3bf55e98cbc26e445d6cb19e88de91c8be2419bdef5cf57df63d25fef64aff58e63cf6fd3bea565b222acd749117832e60d0
-
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\a16aa55e-bded-4ecc-9287-47ceebdb7724\paint.net.5.0.2.install.x64.exeFilesize
62.0MB
MD5ea9d42d85a902d06cac5a296ad274489
SHA1169daa55bbe24114a3bf73553041fed22119a8f6
SHA2563a93fa5e111285d1704884a325680ced7730d679949d9269794100a931dfee7c
SHA5122d887582f0f407259c24545b0777a744258dae855594f46e0414dd2c23041be2b45ad04d477a6c2e84342c35f5df33b1efc744c620e275a8fea571defd0de9a2
-
C:\Users\Admin\AppData\Local\Temp\PdnSetupDownloader\a16aa55e-bded-4ecc-9287-47ceebdb7724\paint.net.5.0.2.install.x64.exeFilesize
62.0MB
MD5ea9d42d85a902d06cac5a296ad274489
SHA1169daa55bbe24114a3bf73553041fed22119a8f6
SHA2563a93fa5e111285d1704884a325680ced7730d679949d9269794100a931dfee7c
SHA5122d887582f0f407259c24545b0777a744258dae855594f46e0414dd2c23041be2b45ad04d477a6c2e84342c35f5df33b1efc744c620e275a8fea571defd0de9a2
-
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.logMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.logFilesize
609B
MD57641991745e3304c28bd3c79fd47ff25
SHA131050b3a0a24fe991d28c768b5a7b9c5a2b23ed7
SHA256ea08bbdb2a30af0fb371d2a25dd27525fce833f0647665ea476faf8a888f232e
SHA5125e6d7ce7fe5ae9270bc7a414c09d3a205d61d6fbf47f44db81ea0e15a7189570edd707976e87fa44065310ae29de306935f5a8cccd46fd18888611bb6b19fd90
-
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.logFilesize
932B
MD512f2f64e74072dc97c8b60e3d0cf92d7
SHA1c692ce63031a58bbe40643cb402fd8984553c752
SHA25688fd9c0c56769fb8d9e4aec623537e267df8257524f07c0da4b2542bb3dcd073
SHA51299a01c95d3e83b5acdb7a52c85cfbb9a8f9a2c3b8434cb522395815cef6679adda147fdb1c3838f20f7e8817473668b8ad5612b565d336758bc08dced4ada27e
-
C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.logFilesize
775B
MD51ef69bbddf8a20ec289593dd441d650e
SHA1b5b24bdfb5e5d0effa37a402999ad9c70a23c3e7
SHA256c902ce2953535d7585bdb82ed5366183cfe54707311cf1172c9f489a3b7121c5
SHA512d94425eedef795fe83e17ec3b384825e595244e44bc4893dd696a34ac1d41919062d9e8a7312594fcd4df7f617d7fca9045fc24f5d3fed16aa5f3d9d1ef4a0ba
-
C:\Users\Admin\AppData\Local\Temp\~DF54F0E46C26B0E17B.TMPFilesize
16KB
MD52c70e2d141a476c140efee84d58ee56c
SHA176f77de258be2edb1dc5e5d7628223b23d45cce3
SHA256330e9d943ea532d528ec3f387e0fce72606bf003b266015b4ca2f6eb859aaf78
SHA512eb8af44a3a3e26e3a5038226ef1d9ff2fe51ad45ce9d4b91d38d83cd367eb17cab01230021d5d821673f17679c70f011b57b649fac58b2b5ba0baa7860b70086
-
C:\Users\Admin\Desktop\paint.net.5.0.2.install.anycpu.web.exeFilesize
1.1MB
MD56a5e8c6eec9ab6ed7088bc35739e52d5
SHA1be77e05970628d62c65b0bd609ef7ab5bb705c8f
SHA2569d3edf7ade8ce94aaa6038e894562229e002a86840835e573caf1116e7b928a5
SHA512e56e5356bee8d6d942f1bee7acd0a31fa03f51a7614df6f7bcdec89ec26cc3e7ea686892325938e7156f23c78814e0a9f04eeff255853939b157004ed6c12ed0
-
C:\Users\Admin\Desktop\paint.net.5.0.2.install.anycpu.web.exeFilesize
1.1MB
MD56a5e8c6eec9ab6ed7088bc35739e52d5
SHA1be77e05970628d62c65b0bd609ef7ab5bb705c8f
SHA2569d3edf7ade8ce94aaa6038e894562229e002a86840835e573caf1116e7b928a5
SHA512e56e5356bee8d6d942f1bee7acd0a31fa03f51a7614df6f7bcdec89ec26cc3e7ea686892325938e7156f23c78814e0a9f04eeff255853939b157004ed6c12ed0
-
C:\Users\Admin\Downloads\paint.net.5.0.2.install.anycpu.web.zip.8dma9nk.partialFilesize
734KB
MD5e89beda41843c048e1ac4272433daa6c
SHA124137615dd6eaa6b465aae19966622f1c6be85c2
SHA256ed96caac4a2ea5f3c8a295008cde2cafa667820254ae80a1cd87a9a494f0c739
SHA51230b2c62cf1468afeb8ee8578dc7ccdf5413443bb1a010fec1813c576678a178349e66e4d6a0d00c209102ab460f33e7bb031e0ff1d686a77bc05dde6be2efb51
-
C:\Windows\Installer\e5a7f05.msiFilesize
204.9MB
MD5de6a045f5ef68a96f1fb0549ec958be9
SHA1d50e72ee01dabf72691895efd5722f448dd28bde
SHA25614fb04493868d2cc676fac34c249691e82fe828b444e98f8cb223cc76d793487
SHA512712f0146a1de0e291f15637dc099c4bf277d96becdec070dc69796398c8961287e88b43fc95caea4bab71563d3e5a11efb2507c68cbd7d8e0275a77ceb2b1055
-
C:\Windows\Installer\{DBC43589-CC32-4502-BBEC-5B931AF4BD2E}\app_icon.icoFilesize
75KB
MD5d47d5e7a8a90d00db1644a40555d14c2
SHA1652eae27caf68d1903616910f46bcca27f6623b0
SHA2569c6063ea5b8a118f1aeab0c201f5bc7fa5d630dcfd80d0c8bf3efe67bfde6953
SHA512ecf923b823e246416ad4f010647a14c764325ff83752d542313ccd74143f800c1d37f14952e02ed78813f0417c94a0e5eccb02daecabf242444cd5d6a635ec8a
-
memory/436-296-0x00000237FF680000-0x00000237FF690000-memory.dmpFilesize
64KB
-
memory/436-293-0x00000237FF680000-0x00000237FF690000-memory.dmpFilesize
64KB
-
memory/436-292-0x00000237FF680000-0x00000237FF690000-memory.dmpFilesize
64KB
-
memory/436-298-0x00000237FF680000-0x00000237FF690000-memory.dmpFilesize
64KB
-
memory/436-297-0x00000237FF680000-0x00000237FF690000-memory.dmpFilesize
64KB
-
memory/436-291-0x00000237E6AE0000-0x00000237E6B02000-memory.dmpFilesize
136KB
-
memory/436-2361-0x00000237FF780000-0x00000237FF929000-memory.dmpFilesize
1.7MB
-
memory/436-289-0x00000237FF480000-0x00000237FF532000-memory.dmpFilesize
712KB
-
memory/436-294-0x00000237FF680000-0x00000237FF690000-memory.dmpFilesize
64KB
-
memory/436-295-0x00000237FF780000-0x00000237FF929000-memory.dmpFilesize
1.7MB
-
memory/436-287-0x00000237E4F50000-0x00000237E4F96000-memory.dmpFilesize
280KB
-
memory/436-383-0x00000237FF780000-0x00000237FF929000-memory.dmpFilesize
1.7MB
-
memory/436-300-0x00000237FF440000-0x00000237FF452000-memory.dmpFilesize
72KB
-
memory/2536-2445-0x00007FF928440000-0x00007FF928441000-memory.dmpFilesize
4KB
-
memory/2564-1918-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/2564-1919-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/2564-1915-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/2564-1913-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/2564-1910-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/2564-1454-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/2564-1470-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/2564-1460-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/2564-1462-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/2564-1466-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/2564-1468-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/2564-1687-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/2564-1476-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/2564-1472-0x00000279E1FE0000-0x00000279E2189000-memory.dmpFilesize
1.7MB
-
memory/3812-2375-0x0000022817500000-0x00000228176A9000-memory.dmpFilesize
1.7MB
-
memory/3812-2401-0x0000022817500000-0x00000228176A9000-memory.dmpFilesize
1.7MB
-
memory/3812-2402-0x0000022817500000-0x00000228176A9000-memory.dmpFilesize
1.7MB
-
memory/3812-2433-0x0000022817500000-0x00000228176A9000-memory.dmpFilesize
1.7MB
-
memory/3812-2400-0x0000022817500000-0x00000228176A9000-memory.dmpFilesize
1.7MB
-
memory/3812-2399-0x0000022817500000-0x00000228176A9000-memory.dmpFilesize
1.7MB
-
memory/3812-2398-0x0000022817500000-0x00000228176A9000-memory.dmpFilesize
1.7MB
-
memory/3812-2397-0x0000022817500000-0x00000228176A9000-memory.dmpFilesize
1.7MB
-
memory/3812-2396-0x0000022817500000-0x00000228176A9000-memory.dmpFilesize
1.7MB
-
memory/3812-2392-0x0000022817500000-0x00000228176A9000-memory.dmpFilesize
1.7MB
-
memory/3812-2389-0x0000022817500000-0x00000228176A9000-memory.dmpFilesize
1.7MB
-
memory/3812-2379-0x0000022817500000-0x00000228176A9000-memory.dmpFilesize
1.7MB
-
memory/3812-2373-0x0000022817500000-0x00000228176A9000-memory.dmpFilesize
1.7MB
-
memory/3812-2366-0x000002281C670000-0x000002281C674000-memory.dmpFilesize
16KB
-
memory/3812-2365-0x000002281C560000-0x000002281C570000-memory.dmpFilesize
64KB